Sharing personal data for public service reform - ethically, legally, responsibly
Over the past few months, Nesta has been working with the GLA and more than a dozen London boroughs on a pilot for a London Office for Data Analytics (LODA), inspired by New York’s Mayor’s Office for Data Analytics (MODA).
Naturally, London’s will be different - because London government is set up differently. There are five boroughs in New York for example, and 32 local authorities (plus the City of London) in the UK’s capital. We may also have the benefit of new technologies, such as machine learning, that weren’t available commercially when the MODA was set up.
The model is intended to support the reform and improvement of public services at a city-wide scale. From the outset, it has been clear that many public sector issues involve the use - and sometimes sharing - of personal data. Clearly, this should only be done where it is legal, ethical, and in the public interest to do so. Many people working in the public sector find the prospect of correctly tackling these data issues onerous.
In this blog I’d like to share some techniques to build confidence, help make information sharing decisions routine and encourage local authority staff to be open to sharing.
I wasn't an expert when I started looking at information sharing and it seemed very scary. Since then I’ve worked on a number of information sharing projects, unblocking real and perceived barriers. This includes within a single local authority breaking down a line of business silos, across different sectors such as health and social care - and now for the LODA pilot, between London local authorities.
Anyone wishing to use personal data in the context of public services needs to take care to find an ethical and proportionate balance between the risks of sharing information as opposed to the risks of not sharing. The latter is often underplayed. Getting the balance right between real world risks and information sharing risks does matter, and in cases such as baby Peter Connelly, it can make the difference between life and death.
In my experience, sound, ethical, balanced, proportionate judgement is what public servants in local government are good at. The reason why their job exists is, after all, to provide the best quality, fastest, most joined up, safest services for the public, at the lowest cost to the public purse.
So how can local authorities go about using personal datasets? My advice would be as follows:
Minimise the use of personal and sensitive data. If you can achieve the desired outcome by using non-personal or anonymised data then do so. If you are not sure if it is personal data, check the data protection definitions provided by the Information Commissioner’s Office (ICO).
- Check whether decisions have already been made as to whether particular datasets can be shared. You can search for existing legal gateways and decisions by the ICO or information rights tribunals.
Understand the relevant roles. It’s the job of a data controller to make the judgement about sharing: balancing privacy risks against real world risks to citizens. It’s the job of lawyers to advise but not to make the decision. It’s the job of leaders to be brave and support a change of culture around decision making and proportionate information sharing.
Defer to and build trust with data controllers. Engage them early in any proposed initiative to get their advice and expertise. Get all the issues and blockages out on the table, as you would for any project risk management exercise. Sometimes the legal barriers are perceived rather than real - so see if there is a way to mitigate problems or find another way round. It’s the data controllers’ responsibility to make sure the data is correct and complete with no duplicates. And they get to decide who else it can be shared with. They know the most about their functions and the legal basis for their team’s work.
How should we weigh up whether or not to share?
With your best public servant hat on, consider your duty to the public and citizens first. If that duty indicates that personal data needs to be used, start from the mindset that you want to share - and work back. The approach that I have found most useful is using the ICO privacy impact assessment, which enables you to look at the pros and cons of sharing information in a balanced way.
This is not paperwork for paperwork's sake. It’s a passport. Nobody will hand over any data to you without it. It will take a day to write and a few days to get feedback and it’s a worthwhile investment in time. You need to prove you understand the privacy issues and that it’s legal to share. Here is a great resource to check for legal gateways for sharing, courtesy of the Information Sharing Centre of Excellence.
If you are a data controller, you will want to get some input from other people - your management and legal teams for example - especially if it’s a major privacy issue. Bear in mind that lawyers are there to advise and that their job is to point out risks not benefits. It’s your job to follow a sensible process and balance the legal advice around risk against the real world risks.
Decisions are never perfect. They have to be reasonable and proportionate based on the information you have at the time. But if we stand back, lift our heads up and have confidence in our own judgement and moral compass, and leaders who trust us to do so, then these decisions can be made more quickly and with assurance.